Procurement Language for Supply Chain Cyber Assurance
Introduction

This document serves as a minimal set of requirements for any supplier providing network-connectable software, systems, or devices as part of a contractual bid to . It describes the required methods by which the features and functions of network-connectable devices are to be evaluated at the product level and tested for known vulnerabilities and software security weaknesses, and it establishes a minimum set of verification activities intended to reduce the likelihood of exploitable weaknesses that could become vectors for zero-day exploits affecting the device.

While this document serves as a minimal set of requirements, expects that suppliers will remain conscious of the dynamic nature of cybersecurity and provide incremental improvements as needed, which shall consider for inclusion in future versions of this document. Suppliers shall be required to provide with any and all requested artifacts as evidence that the supplier is in compliance with the stated requirements.

Scope

These requirements apply to (but are not limited to) the following:

Application Software
Embedded Software
Firmware
Drivers
Middleware
Operating Systems

The requirements in this document are derived from various industry standards, guidelines, and other documents including, but not limited to:

IEC
ISO
NIST SP
NIST SP
DHS Cyber Security Procurement Language for Control Systems
ISA EDSA
FIPS
Common Criteria Smartcard IC Platform Protection Profile
Mayo Clinic Technology and Security Requirements Procurement Language
UL 2900

The requirements in this document apply to devices, software, or software services, referred to as "the product" throughout this document. The product can be connected to a network (public or private) and may be used as part of a system.
These requirements are applicable to products that contain software where unauthorized access to or operation of the product, whether intentional or through misuse, can impact safety or privacy, result in loss of data, or introduce operational risk.
Glossary of Terms

Robustness Test Tool: A specialized test tool that performs both Data Resource Exhaustion Tests and Invalid Messages Tests.

Data Resource Exhaustion Tests: Tests that try to exhaust a particular data handling resource of the product. An example is a test that tries to create as many concurrent TCP connections as possible.

Invalid Messages Tests: Tests that send incorrect data messages to the product. These messages are incorrectly structured in that they do not conform to the protocol specification, either in the structure of the message or in compliance with the protocol's rules.

Known Vulnerability Scanner: A specialized test tool that performs known vulnerability scans against a published vulnerability database.

Known Vulnerability: A vulnerability is an undocumented feature or defect which allows an outside entity to compromise the intended use and function of the product. A known vulnerability has been publicly disclosed and is typically present in a public database, such as the NIST National Vulnerability Database.

Malware: Hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.

Communication Protocol Fuzz Testing: The ability to transmit valid and invalid messages to the product. This allows the product to be tested for unknown vulnerabilities that can be uncovered by malformed inputs.

Static Analysis: A process where a program's source code or its binary code is analyzed without executing the code. Static code analysis examines and processes source code files for security weaknesses and identifies potential vulnerabilities. Static binary analysis examines and processes compiled binaries for software components and known vulnerabilities in those components.
Common Vulnerabilities and Exposures (CVE): CVEs are common names and identifiers for publicly known information security vulnerabilities.

Common Weakness Enumerations (CWE): CWEs are defined software weaknesses related to the architecture and design of the software.

Binary Code: Machine instructions for a specific family of processor architecture.

Byte Code: Instructions that are created from source code as an intermediate step before generating machine instructions. Byte code is independent of any specific processor architecture.

Dynamic Runtime Analysis: The examination of how the software behaves while it is executing or in operation.

Penetration Testing: A mechanism for evaluating a product, system, network, or organization to identify vulnerabilities and security flaws and possibly exploit them with the intent of penetrating the security of the product, system, network, and/or organization. The intent is to circumvent or defeat the security measures of the product. Penetration testing is a largely undefined field of study that requires specialized skills found in penetration testing professionals.

Supplier: The organization supplying a product or service to .

Code Signing: The process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed, by use of a cryptographic hash.

Requirements

The requirements section of this document is broken out into the following sections:

1. Product Development Specification and Policy
2. Security Program
3. System Protection and Access Control
4. Product Testing and Verification
5. Deployment and Maintenance
The word "shall" precedes all requirements to indicate that they are normative. The word "Note:" precedes statements that are explanatory or informative.

1. Product Development Specification and Policy

Supplier shall represent and warrant that it has established and implements security standards and processes that must be adhered to during all equipment and product development activities, with such security standards being designed to address potential security incidents, product vulnerability to unauthorized access, loss of functions, malware intrusion, or any other compromise of confidentiality, integrity, or availability.

Supplier shall represent that its security standards and practices include testing procedures and tools designed to ensure the security and non-vulnerability of all products and equipment.

Supplier shall warrant that it will, for all products and equipment, implement failsafe features that protect the product's critical functionality, even when the product's security has been compromised.

Supplier shall provide with a written copy of its Development Security Standards upon request and shall allow personnel, or a third party identified by , to view and assess the standards.

Supplier represents and warrants that, with respect to all of its products (as applicable), it meets and complies with all cyber-security guidelines and similar requirements and standards promulgated by any applicable regulatory body, where present.

Supplier can provide a third-party assessment of the organization's product development as a validation of the process employed.

2. Security Program

Supplier shall represent and warrant that it has developed and continues to maintain a comprehensive written security program that contains administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of all of 's systems and data.
Supplier represents and warrants that all audits and reports produced as part of its written security program, and all reports required to be produced or made available to , can be exported and delivered in electronic format.

The supplier's written security program shall include, but may not be limited to:

a. Identifying and assessing reasonably foreseeable internal and external risks to the availability, security, confidentiality, and/or integrity of any and all supplier products, systems, servers, equipment, software, and electronic, paper, or other records. The written security policy shall include means of evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting the vulnerability and risks of such supplied product(s), including but not limited to:
i. Ongoing employee (including temporary and contract employee) training;
ii. Employee compliance with policies and procedures; and
iii. Means for testing for, detecting, and preventing security system failures on an ongoing basis.
b. Regular monitoring to ensure that the written security policy is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of 's systems and data, or any compromise of the confidentiality, integrity, or availability of 's systems and data.
c. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of supplier products containing, or which may access or be used to access, 's networks, systems, and data, or compromise the confidentiality, integrity, or availability of 's systems and data.
d. Documenting responsive actions taken in connection with any incident involving a breach of security, and a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to the protection of .
e.
Supplier can provide a third-party assessment of the organization's security program as a validation of the process employed.

3. System Protection and Access Control

Supplier shall demonstrate that 's systems and data are protected by appropriate network security controls that prevent
unauthorized access, by providing with network diagrams of the supplier's environment used to provide products, equipment, maintenance, and services to .

a. Supplier infrastructure - Supplier shall warrant that an incident response mechanism is in place for unauthorized access to or disclosure of technology and assets on the supplier infrastructure. Supplier shall have an approved C-level process for notification to of unauthorized access to or disclosure of technology and assets on the supplier infrastructure that may impact the business operations of products and services delivered to .
b. Supplier shall provide with a standard operating procedure for securing the supplier's technology assets, with independent evaluation and assessment where applicable, and a management audit of said standard operating procedure annually.
c. Communications between supplier and shall be performed with a secure mechanism. Supplier shall provide operating procedures for the secure mechanism to ensure no unauthorized access to or disclosure of technology and assets.
d. All supplier products and services that have the capability to perform remote system maintenance, software upgrades, troubleshooting, and diagnostics shall provide technical documentation on these capabilities, which shall cover the following at a minimum:
i. Strong authentication mechanisms for access to products and services
ii. Mechanisms to perform remote software downloads that are:
1. Validated as an uncompromised supplier deliverable
2. Validated as an unaltered supplier deliverable
3. Validated that only that action is performed
4. Validated that it does not provide access to any other systems except for the purpose of updating the software to a supplier deliverable
iii. Ability to prevent the introduction of any unwanted activity unauthorized by the supplier
e. Supplier agrees that no external access to its internal networks and systems will be permitted unless strong authentication and encryption are used for such access.
Supplier represents and warrants that all internet and network communications will be encrypted and authenticated. Any necessary external communications for purposes of service or maintenance functions to be performed by supplier will be encrypted and will utilize multi-factor authentication to access any and all devices, equipment, and/or applications. Supplier shall maintain an access control list for all access to the internal network from an external network, and supplier agrees that any of its servers exposed to the internet that contain data or access systems run on a hardened operating system.

4. Product Testing and Verification

Supplier shall perform a vulnerability assessment for any or all products that will be provided to as part of a contractual agreement, including scanning and penetration testing by a tester of 's choosing (or a tester selected by supplier and approved by ) or, at 's discretion, personnel may perform such vulnerability assessment, all at no cost to .

Supplier represents and warrants that it performs security testing and validation for all of its products, that all security testing performed by supplier covers all issues noted in the SANS/CWE Top 25 and OWASP Top 10 documentation, and that such testing shall include a vulnerability scan encompassing all ports and protocols. Supplier shall provide with a test plan for all tests performed, for review and approval by .

The testing shall include, but not be limited to:

a. Communication Robustness Testing - This shall include, at a minimum, communication protocol fuzz testing to determine the ability to properly handle malformed and invalid messages for all identified communication protocols in the supplier product, as well as data resource exhaustion tests (aka load
testing and DoS testing). Communication robustness testing shall be performed using tools that are approved by , and that produce machine-readable data.
b. Software Composition Analysis - This shall include, at a minimum, an analysis of all compiled code found in the supplier product; it shall identify all third-party open source components and shall, at a minimum, identify all known vulnerabilities found in Common Vulnerabilities and Exposures (CVE) entries in publicly available databases. Software composition analysis shall be performed using tools that are approved by , and that produce machine-readable data.
c. Static Source Code Analysis - This shall include, at a minimum, an analysis of all available source code found in the supplier product and shall identify weaknesses enumerated by the Common Weakness Enumeration (CWE). Static source code analysis shall be performed using tools that are approved by , and that produce machine-readable data. All CWE Top 25 and OWASP Top 10 issues that have not been remediated must be clearly documented as exceptions.
d. Dynamic Runtime Analysis - This shall include, at a minimum, an analysis of how the supplier-provided software behaves during operation and whether such behavior introduces potential security vulnerabilities that could negatively impact confidentiality, integrity, and availability.
e. Known Malware Analysis - This shall include, at a minimum, a scan of supplier-provided software to determine if any known malware exists in it, and a risk assessment of the mitigation controls or the value of the risk.
f. Bill of Materials - The supplier shall provide a bill of materials that clearly identifies all known third-party software components contained in the supplier product. This shall be provided in a machine-readable format.
g.
Validation of Security Measures - All security measures described in the product's design documentation are properly implemented and mitigate the risks associated with use of the component or device.
h. Third-Party Penetration Test - The supplier shall provide with the results of a penetration test performed by a third-party penetration tester. may, at its discretion, recommend a penetration tester of its choosing. The third-party penetration test shall, at a minimum, but not limited to, determine the following:
i. All ports and interfaces that the product has enabled and disabled for all configurations.
ii. All services that are external to the product for all configurations of the product. The test shall determine the operational, service, test, and non-functional services of the product.
iii. Measures implemented to prevent denial of service attacks on all ports, interfaces, and services.
iv. All ports, interfaces, and services are documented, and there exists no undocumented port, interface, or service.
v. All ports, interfaces, and services that require authentication shall meet the requirements of the authentication section in the companion standard for the product ecosystem.
vi. Vulnerabilities in the product are probed, with conceptual exploits provided to demonstrate each vulnerability.
vii. Software and hardware weaknesses identified in the product that are in the SANS/CWE Top 25 and OWASP Top 10 and/or otherwise negatively impact the confidentiality, availability, and integrity of the supplier product.
i. Risk Assessment - The supplier shall provide with a threat model and subsequent risk assessment that includes, at a minimum, but is not limited to:
i. Risk criteria used to evaluate the significance of risk, including the level at which risk becomes acceptable.
ii. Risk identification, including (but not limited to) all known vulnerabilities identified through testing and all software weaknesses per the SANS/CWE Top 25 and OWASP Top 10 publicly available lists.
iii. Risk analysis, including consideration of the causes and sources of the risks and their consequences.
iv. Risk evaluation, comparing the level of risk found during the analysis process with the established risk criteria to determine the acceptability of the risks.
v. Additional risk control measures shall be implemented to address all known vulnerabilities and software weaknesses that have been determined to present an unacceptable level of risk.

5. Deployment and Maintenance

Supplier shall provide with detailed installation, deployment, and configuration instructions, and, at the request of , assistance in installation, deployment, and configuration that supplier warrants meets the expected security context resulting from meeting the requirements in this document. All supplied software products shall be authenticated through code signing.

Supplier shall provide with a stated lifecycle of the supplied product and shall provide with a maintenance plan that addresses both current and legacy products provided to . Supplier shall provide, at a minimum, but not be limited to, the following:

a. Ongoing Vulnerability Assessment - Supplier shall periodically apply all previously listed vulnerability assessment testing to the supplied products at a frequency of no less than once annually, and report any newly discovered vulnerabilities to within 15 days of their discovery.
b. Patch Management and Deployment - Supplier shall design all products with the ability to apply patches when needed and shall provide with the patch management plan. Supplier shall provide with tested, verified, and validated patches in a timely manner, not to exceed 90 days for any vulnerabilities found in the SANS/CWE Top 25 and OWASP Top 10, or any vulnerabilities deemed critical by . All patches and provided updates shall be authenticated through code signing.
c.
Updates to Bill of Materials - Supplier shall provide with an updated bill of materials, per the previously stated requirement, for any changes resulting from product updates, patches, etc.
d. End of Life - Supplier shall provide with a disposition plan for all software that has reached the supplier-stated end of life. This plan shall include, at a minimum, but may not be limited to:
i. Uninstallation instructions
ii. Removal of confidential information (e.g. data and keys)
iii. Transition plan to the updated version of the supplier product
iv. Supplier warrants that the expected security context remains intact

About Synopsys

Synopsys, Inc. (Nasdaq:SNPS) is the Silicon to Software partner for innovative companies developing the electronic products and software applications we rely on every day. As the world's 15th largest software company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP, and is also growing its leadership in software quality and security solutions. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing applications that require the highest quality and security, Synopsys has the solutions needed to deliver innovative, high-quality, secure products. The company is headquartered in Mountain View, California, and has approximately 113 offices located throughout North America, South America, Europe, Japan, Asia and India.

Synopsys Inc.
185 Berry Street, Suite 6500
San Francisco, CA USA
U.S. Sales: (800)
International Sales: +1 (415)
sales@coverity.com

Synopsys, Inc. All rights reserved. The registered trademarks of Synopsys used herein are registered in the U.S. and other countries. All other company and product names are the property of their respective owners.
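The bill-of-materials requirements in sections 4 and 5 (a machine-readable BOM naming every third-party component, its known CVEs, and an updated BOM after each patch) can be checked mechanically on the buyer's side. The Python script below is an added example and not part of the Synopsys document; the BOM layout (a JSON object with a "components" list of name/version/supplier entries), the vulnerability-list format and the CVE identifiers are constructed placeholders.

```python
"""Check a supplier's machine-readable bill of materials (BOM) against a
known-vulnerability list and report what changed since the previous BOM.

Added example, not from the Synopsys document. The BOM layout and the
vulnerability list are assumptions modelled loosely on SBOM formats such as
CycloneDX; the CVE identifiers are constructed placeholders, not real entries.
"""
import json
import re

# Constructed sample: the BOM delivered with the previous product release.
PREVIOUS_BOM = json.dumps({
    "product": "example-gateway", "version": "1.0",
    "components": [
        {"name": "openssl", "version": "1.1.1k", "supplier": "OpenSSL Project"},
        {"name": "zlib", "version": "1.2.11", "supplier": "zlib"},
        {"name": "busybox", "version": "1.32.0", "supplier": "BusyBox"},
    ],
})

# Constructed sample: the updated BOM delivered with the patched release.
CURRENT_BOM = json.dumps({
    "product": "example-gateway", "version": "1.1",
    "components": [
        {"name": "openssl", "version": "1.1.1w", "supplier": "OpenSSL Project"},
        {"name": "zlib", "version": "1.2.11", "supplier": "zlib"},
        {"name": "libcurl", "version": "7.79.0", "supplier": "curl"},
    ],
})

# Constructed known-vulnerability list (placeholder ids): a component is
# affected when its version is below "affected_below", the first fixed version.
KNOWN_VULNS = [
    {"id": "CVE-0000-EXAMPLE1", "component": "openssl", "affected_below": "1.1.1w", "severity": "high"},
    {"id": "CVE-0000-EXAMPLE2", "component": "zlib", "affected_below": "1.2.12", "severity": "critical"},
    {"id": "CVE-0000-EXAMPLE3", "component": "libcurl", "affected_below": "7.80.0", "severity": "medium"},
]


def version_key(version):
    """Sortable key for dotted versions with letter suffixes (e.g. 1.1.1k).
    Numeric parts compare as integers and letter parts as strings, so
    1.1.1 < 1.1.1k < 1.1.1w and 1.2.11 < 1.2.12 (plain string comparison
    would get the last one wrong)."""
    key = []
    for segment in version.split("."):
        parts = []
        for token in re.findall(r"\d+|[A-Za-z]+", segment):
            parts.append((0, int(token)) if token.isdigit() else (1, token))
        key.append(tuple(parts))
    return tuple(key)


def load_bom(bom_text):
    """Parse BOM JSON into {component name: version}. A BOM that lists the
    same component twice is ambiguous, so it is rejected rather than guessed at."""
    components = {}
    for entry in json.loads(bom_text)["components"]:
        name = entry["name"]
        if name in components:
            raise ValueError(f"duplicate component in BOM: {name}")
        components[name] = entry["version"]
    return components


def find_known_vulnerabilities(bom_text, vulns=KNOWN_VULNS):
    """Return ids of listed vulnerabilities whose component appears in the
    BOM at a version below the fixed one (the SCA requirement in section 4)."""
    components = load_bom(bom_text)
    hits = []
    for vuln in vulns:
        version = components.get(vuln["component"])
        if version is not None and version_key(version) < version_key(vuln["affected_below"]):
            hits.append(vuln["id"])
    return hits


def diff_boms(old_text, new_text):
    """Components added, removed or re-versioned between two BOMs: the change
    set the 'updated bill of materials' requirement in section 5 asks the
    supplier to disclose after patches and updates."""
    old, new = load_bom(old_text), load_bom(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted((n, old[n], new[n]) for n in set(old) & set(new) if old[n] != new[n]),
    }


def vulnerability_delta(old_text, new_text, vulns=KNOWN_VULNS):
    """Classify known vulnerabilities as resolved, still open or newly
    introduced by the update, so a reviewer can confirm that a patch closes
    the issue it claims to and can track what remains open against the
    90-day patch window."""
    before = set(find_known_vulnerabilities(old_text, vulns))
    after = set(find_known_vulnerabilities(new_text, vulns))
    return {"resolved": sorted(before - after),
            "open": sorted(before & after),
            "new": sorted(after - before)}


if __name__ == "__main__":
    print("BOM changes:", diff_boms(PREVIOUS_BOM, CURRENT_BOM))
    print("Vulnerability delta:", vulnerability_delta(PREVIOUS_BOM, CURRENT_BOM))
```

With the constructed samples, the update resolves the openssl issue, leaves the critical zlib issue open, and introduces a new libcurl issue, which is exactly what a reviewer needs to see before accepting the patch delivery.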
More information_isms_27001_fnd_en_sample_set01_v2, Group A
1) What is correct with respect to the PDCA cycle? a) PDCA describes the characteristics of information to be maintained in the context of information security. (0%) b) The structure of the ISO/IEC 27001
More informationAcceptable Use Policy
Acceptable Use Policy 1. Purpose The purpose of this policy is to outline the acceptable use of computer equipment at Robotech CAD Solutions. These rules are in place to protect the employee and Robotech
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationOhio Supercomputer Center
Ohio Supercomputer Center Security Notifications No: Effective: OSC-10 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
More informationSecuring Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager
with the IEC 62443-4-2 Standard What You Should Know Vance Chen Product Manager Industry Background As the Industrial IoT (IIoT) continues to expand, more and more devices are being connected to networks.
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationEFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1
EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1 EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD ICTN 6823 BOYD AARON SIGMON EAST CAROLINA UNIVERSITY EFFECTIVE VULNERABILITY MANAGEMENT USING
More informationCybersecurity Technical Risk Indicators:
Cybersecurity Technical Risk Indicators: A Measure of Technical Debt Joe Jarzombek, CSSLP, PMP Global Manager, Software Supply Chain Solutions Synopsys Software Integrity Group Previously Director, Software
More informationAmerican Association for Laboratory Accreditation
R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.
More informationThis section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationSecurity Architecture
Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationINTERNATIONAL STANDARD
INTERNATIONAL STANDARD ISO/IEC 27039 First edition 2015-02-15 Corrected version 2016-05-01 Information technology Security techniques Selection, deployment and operations of intrusion detection and prevention
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationTRACKVIA SECURITY OVERVIEW
TRACKVIA SECURITY OVERVIEW TrackVia s customers rely on our service for many mission-critical applications, as well as for applications that have various compliance and regulatory obligations. At all times
More informationPoint ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,
More informationWHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3
WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring
More informationAcceptable Use Policy
Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established
More informationДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT
ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ENERGY AUTOMATION - SMART GRID Restricted Siemens AG 20XX All rights reserved. siemens.com/answers Frederic Buchi, Energy Management Division, Siemens AG Cyber
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationVol. 1 Technical RFP No. QTA0015THA
General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Core Infrastructure IPSS Concept of Operations Per the IPSS requirements, we provide the ability to capture and store packet
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationMarch 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices
March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability
More informationCoverity Static Analysis Support for MISRA Coding Standards
Coverity Static Analysis Support for MISRA Coding Standards Fully ensure the safety, reliability, and security of software written in C and C++ Overview Software is eating the world. Industries that have
More informationIT ACCEPTABLE USE POLICY
CIO Signature Approval & Date: IT ACCEPTABLE USE POLICY 1.0 PURPOSE The purpose of this policy is to define the acceptable and appropriate use of ModusLink s computing resources. This policy exists to
More informationTAN Jenny Partner PwC Singapore
1 Topic: Cybersecurity Risks An Essential Audit Consideration TAN Jenny Partner PwC Singapore PwC Singapore is honoured to be invited to contribute to the development of this guideline. Cybersecurity Risks
More informationEnsuring System Protection throughout the Operational Lifecycle
Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationCybersecurity: Incident Response Short
Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability
More informationChapter 5: Vulnerability Analysis
Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we
More informationCyber Hygiene: A Baseline Set of Practices
[DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright
More informationNIST Special Publication
DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationDepartment of Defense Cybersecurity Requirements: What Businesses Need to Know?
Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies
More informationNebraska CERT Conference
Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology
More informationPerforming a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH
Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &
More informationCybersecurity Auditing in an Unsecure World
About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity
More informationWHITEPAPER. Security overview. podio.com
WHITEPAPER Security overview Podio security White Paper 2 Podio, a cloud service brought to you by Citrix, provides a secure collaborative work platform for team and project management. Podio features
More informationData Security and Privacy Principles IBM Cloud Services
Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationJacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope
Jacksonville State University Acceptable Use Policy 1. Overview Information Technology s (IT) intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Jacksonville
More informationMonthly Cyber Threat Briefing
Monthly Cyber Threat Briefing January 2016 1 Presenters David Link, PM Risk and Vulnerability Assessments, NCATS Ed Cabrera: VP Cybersecurity Strategy, Trend Micro Jason Trost: VP Threat Research, ThreatStream
More informationControls Electronic messaging Information involved in electronic messaging shall be appropriately protected.
I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To
More informationDONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY
DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an
More information